Troubleshooting

I am having trouble getting SME Server to send and receive email.

Sending and receiving email are separate functions. You need to investigate each individually.

Sending

If SME server does not send mail, examine the /var/log/qmail/current log to see what happens when it tries. Most commonly, problems can be solved by sending via your ISP's mail server, possibly using encryption and/or authentication. Read the manual.

Receiving

If SME server does not receive mail, first ensure that SMTP connections actually reach your SME server (DNS settings, router configuration, ISP port blocks), then examine the /var/log/qpsmtpd/current log to determine what SME server does with the incoming connections. Most problems are DNS, router or ISP issues and have nothing to do with SME server operation or configuration.

qpsmtpd "Connection Timed Out" errors

A qpsmtpd timeout error is not caused by SME server directly, but it can arise depending on hardware and configuration settings in the surrounding network environment.

As discussed in Bugzilla:6888, a workaround was found that may help mitigate the issue.

The tracepath utility (included with SME 8.0 and SME 7.6) can be used to locate non-standard MTU values between your SME server and any remote host.

You can discover the smallest MTU between you and google.com (for example) by running this command, then locating the smallest value of "pmtu" in the results:

tracepath google.com

If tracepath returns any value below 1500 between your SME server and a mail server that you need to receive email from, you may need to reset the MTU on the SME server to match the smallest value returned.

For example, if tracepath returns 1492 (typical for internet connections using PPPoE), you would need to set the MTU on your SME server to the same value (1492) using the following:

Webmail broken after upgrade

After the usual post-upgrade and reboot, webmail is broken with messages like the following in the messages log:

Apr 20 17:29:53 mail [4614]: PHP Fatal error: Call to a member function on a non-object in /home/httpd/html/horde/imp/lib/Block/tree_folders.php on line 65
Apr 20 17:29:53 mail [4614]: PHP Warning: Unknown(): Unable to call () - function does not exist in Unknown on line 0

As a workaround, log out of Horde, close the browser, reopen it and log in to Horde again; webmail should now be fully functional. (Based on the suggested fix in Bugzilla:5177)

Spam

Spamassassin

Spam filter with Server-Manager

Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.

Virus scanning: Enabled
Spam filtering: Enabled
Spam sensitivity: Custom
Custom spam tagging level: 4
Custom spam rejection level: 12
Sort spam into junkmail folder: Enabled
Modify subject of spam messages: Enabled

Message Retention Time

Set spamassassin to automatically delete junkmail.
You can change the number of days after which spamassassin automatically deletes junkmail, for example to delete after two months.

Each custom score goes on its own line. If you enter a score surrounded by parentheses, the "custom" score is added to the default score for the specified test (use score TEST_NAME (-1) to reduce the score for TEST_NAME by 1).

Then set your custom rule scores using the Custom Rule Scores section of this page. You should base these scores on your settings in server-manager > Configuration > Email > Change e-mail filtering settings, or via db config commands for those with that skillset.

In our testing, an email that doesn't match the SPF records, where the sender domain owner has defined a soft fail, is attributed 6 points and sorted into the junkmail folder. If the sender domain owner has defined a hard fail, the email is attributed 14 points and is subsequently rejected.
References (but instructions changed to meet new qmail structure):

Many will argue about what's best; some say the SME defaults are too aggressive and affect some popular free webmail accounts, but most would agree that you can set stable, conservative and non-aggressive settings by:

Server Only

Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind another firewall, it loses some of the anti-spam rules, for example the rule that blocks attempts where spammers try "HELO a.b.c.d", where a.b.c.d is your external IP address.

Unfortunately, many admins believe that port-forwarding SMTP provides additional security. It doesn't; it only limits the SMESERVER's ability to apply some rules.

I want to enable GreyListing

GreyListing support is under the covers and can easily be enabled for those who know what they are doing. However, many experienced users found that they spent more time looking after the greylisting configuration than they received in benefit.

Bayesian Autolearning

The default SME settings do not enable Bayesian filtering in spamassassin, which would allow spamassassin to learn from received email and improve over time (Bugzilla: 6822).

The following command will enable the bayesian learning filter and set thresholds for the bayesian filter.

Note: SpamAssassin requires at least 3 points from the header and 3 points from the body to auto-learn a message as spam. Therefore the minimum working value for this option is 6, to be changed in increments of 3; 12 is considered a good working value.

The Sonora Communications "Spam Filter Configuration for SME 7" howto

GeoIP: spam blocking based on geographical information

The GeoIP plugin for Spamassassin lets us know where our mail server is receiving mail from. If we're receiving too much spam from a particular location, this will help track it down. We can then use that information to reject connections from that place, taking the load off our server.

Note:

This can be a crude way of blocking spam and potentially also block legitimate users!

Anti Virus

Signatures

By default SME Server will automatically get virus signature database updates from ClamAV.

Other people and organizations have developed additional signatures which can also be used with ClamAV to provide extra protection. Databases of these signatures can be downloaded and installed on SME Server and used by ClamAV.

In order to automate the download and installation of the additional databases, as well as control which databases you use, follow the instructions in the Virus:Additional Signatures Howto.

Heuristic Scan

HeuristicScanPrecedence is a new option in clamav 0.94.

When enabled, if a heuristic scan (such as phishingScam) detects a possible virus/phish, it stops scanning immediately. This is recommended, as it saves CPU scan time.

You can see whether you are running out of available connections by looking in your log file /var/log/imaps/current for messages like the log extract below; in that example ConcurrencyLimitPerIP was set to 20, a 21st connection was attempted and it was denied.

Mobile devices have a tendency to frequently disconnect from and reconnect to the network. When this disconnect happens, the sessions on the server are not always immediately cleaned up (they get cleaned up after a timeout of some minutes). When the email client reconnects, it creates new network connections, and you get into the situation that these new connections are denied because of the concurrency limit. On the mobile device this may show up as an "Unable to connect to server" message.

Tip:

Some email clients use a separate connection per imap folder, so the concurrency limits may occur for users that have many imap folders.

Mail server is not an IMAP4 mail server

This is a bug in Thunderbird; the previous tips may help.

The Bat

The Bat gives this error message, but it is wrong:
"This server uses TLS v3.0 which is considered to be obsolete and insecure.
The server must use TLS v3.1 or above."

If the registry entry above does not exist on your system, you will have to create it manually.

Whether this is OpenSSL or Microsoft's "fault" is currently not answered.

Outlook test message doesn't come through

You clicked the TEST ACCOUNT SETTINGS in OUTLOOK, didn't you? This is a bug in OUTLOOK. The test sends a test email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required), the message is rejected. To test, send an actual message from OUTLOOK.

If you want, you can try THUNDERBIRD. It's like OUTLOOK but made by a different company. It's completely free and works very well at home and at the office.

Most likely, this is a bug in the application you're using and not a problem with the SMESERVER. The application sends an email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required), the message is rejected.

As a workaround you can disable the check for the 'Date header'.
To disable this check on the internal interface:

The main problem here is that Entourage will only support trusted, PEM Base-64 Encoded certificates. To use IMAPS or SMTPS from Entourage with your SME server, you will need to:

1. Log in to your Mac as a user with administrative privileges
2. Open Safari and browse to https://smeserver/server-manager.
When you receive the warning about your certificate:
- click on "Show Certificate"
- click and drag the gold-rimmed image of a certificate to your desktop.
You will now have myserver.mydomain.tld.cer on your desktop.
3. Locate and open the Microsoft Cert Manager
- "Import" the certificate you downloaded in step 2.
4. Highlight the imported certificate and "Export" it.
- Select the "PEM..." format
- add "pem." to the beginning of the filename
- export it to your Desktop
5. Double-click on the new pem.myserver.mydomain.tld.cer
- Apple's Keychain Access application will open.
- Select the X509Anchors Keychain and click "OK"
6. While still in Apple's Keychain Access, select the "Certificates" category
- Drag pem.myserver.mydomain.tld.cer into the certificates window.

You should now be able to connect to your SME from your Entourage using IMAPS.

If you are accessing your SME server using a different name than the one encoded in the certificate you will still receive a security warning from Entourage, but "OK" will now grant access to your folders.

Set max email size

IMPORTANT: bugzilla: 7876 points out that if your system has /var/service/qpsmtpd/config/databytes it should be deleted. (Fixed as of smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - see bugzilla: 8329).

There are several components involved in sending email on an SME server. Each component has a size limit that may affect an email message that passes through the server.

Be aware that email size is not the same thing as attachment size. Binary attachments to email are encoded using techniques that result in email sizes that can be as much as 30% larger than the original attachment. Most major email clients (Thunderbird, Apple Mail, Outlook) allow you to enable a "message size" column in the message list that shows the size of your email messages.
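As an added example (not from the original page), the following Python computes how large a binary attachment becomes once base64-encoded with standard MIME line wrapping, checks it against qmail's default MaxMessageSize of 15000000 bytes, and finds the largest raw attachment that still fits; the 2000-byte allowance for headers and body text is an assumption. With line wrapping included, the overhead comes out slightly above the 30% figure quoted above.

```python
import base64
import math

# Default qmail MaxMessageSize on SME Server, in bytes (value from this page).
QMAIL_MAX_MESSAGE_SIZE = 15_000_000

# MIME base64 bodies are wrapped at 76 characters per line, each line
# terminated by CRLF (RFC 2045). Line breaks add to the encoded size.
B64_LINE_CHARS = 76
CRLF_LEN = 2


def encoded_attachment_size(raw_bytes: int) -> int:
    """Bytes a binary attachment occupies once base64-encoded and line-wrapped."""
    if raw_bytes <= 0:
        return 0
    b64_chars = 4 * math.ceil(raw_bytes / 3)        # base64: 3 raw bytes -> 4 chars
    lines = math.ceil(b64_chars / B64_LINE_CHARS)   # 76-char lines, last may be shorter
    return b64_chars + lines * CRLF_LEN


def measured_encoded_size(data: bytes) -> int:
    """Cross-check of the formula by really encoding: encodebytes wraps at 76 chars with LF,
    so the LF is widened to CRLF to match what a mail client emits."""
    return len(base64.encodebytes(data).replace(b"\n", b"\r\n"))


def overhead_percent(raw_bytes: int) -> float:
    """How much larger the encoded attachment is than the raw file, in percent."""
    if raw_bytes <= 0:
        return 0.0
    return 100.0 * (encoded_attachment_size(raw_bytes) - raw_bytes) / raw_bytes


def fits_limit(raw_attachment_bytes: int, header_and_text_bytes: int = 2_000,
               limit: int = QMAIL_MAX_MESSAGE_SIZE) -> bool:
    """Would a message carrying this attachment pass qmail's MaxMessageSize?
    header_and_text_bytes is an assumed allowance for headers and message text."""
    return encoded_attachment_size(raw_attachment_bytes) + header_and_text_bytes <= limit


def largest_attachment_for_limit(limit: int = QMAIL_MAX_MESSAGE_SIZE,
                                 header_and_text_bytes: int = 2_000) -> int:
    """Largest raw attachment (bytes) that still fits under the limit.
    Encoded size grows monotonically with raw size, so a binary search is exact."""
    lo, hi = 0, limit
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if fits_limit(mid, header_and_text_bytes, limit):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    for mb in (5, 10, 11, 12):
        raw = mb * 1_000_000
        print(f"{mb} MB attachment -> {encoded_attachment_size(raw)} bytes encoded "
              f"({overhead_percent(raw):.1f}% overhead), fits default limit: {fits_limit(raw)}")
    print("largest attachment under the default limit:", largest_attachment_for_limit())
```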

Subsystem | Function | Default Limit | Command to change size | Notes
qmail | Delivers email to local mailboxes and to remote servers | 15000000 | config setprop qmail MaxMessageSize xx000000 | Value is in BYTES. 15000000 equals approximately 15MB. No value means no limit.

Add the admin user as an administrator for Horde

config setprop horde Administration enabled
signal-event email-update

Large attachments not displaying in webmail

Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also bugzilla:3990). The following entries are related to the error and can be found in the log files:

SMTP Authentication TLS before Auth disable & enable

Since SME v7.5 the default for SMTP Authentication is 'requires TLS before Auth', to increase security.
Where an SME 7.4 or earlier server with SMTP and SSMTP authentication enabled has been upgraded, users are now unable to send mail.
Users will need to set the Authentication encryption setting in their email clients to TLS or Auto. Some older email clients and devices do not support TLS.

A fix was released in SME 7.5.1 to allow this setting to be disabled (i.e. revert to SME 7.4 functionality). Upgrade to SME 7.5.1 before using these commands.

Internet provider's outgoing port 25 is blocked: How to set an alternative outgoing port for the SMTP server

If your Internet provider is blocking outgoing SMTP port 25 on your internet connection but offers an alternative outgoing port (or when using some relay service), you can simply set this alternative port by appending it to the 'Address of Internet provider's mail server' value in the 'E-mail delivery settings' screen of the server-manager, like this:

There are two main sections, Blacklist and Whitelist, where you can control settings.

Blacklist - Black lists are used for rejecting e-mail traffic

DNSBL status - DNSBL is an abbreviation for "DNS blacklist". It is a list of IP addresses known to be spammers.
RHSBL status - RHSBL is an abbreviation for "Right Hand Side Blacklist". It is a list of domain names known to be spammers.
qpsmtpd badhelo - Check a HELO message delivered from a connecting host. Reject any that appear in badhelo during the 'helo' stage.
qmail badmailfrom - Check envelope sender addresses. Reject any that appear (@host or user@host) in badmailfrom during the 'mail' stage.

Whitelists - White lists are used for accepting e-mail traffic

Whitelists status - White Lists: ACCEPT
qpsmtpd whitelisthosts - Any IP address listed in whitelisthosts will be exempted from any further validation during the 'connect' stage.
qpsmtpd whitelisthelo - Any host that issues a HELO matching an entry in whitelisthelo will be exempted from further validation during the 'helo' stage.
qpsmtpd whitelistsenders - Any envelope sender of a mail (@host or user@host) matching an entry in whitelistsenders will be exempted from further validation during the 'mail' stage.
spamassassin whitelist_from - Any envelope sender of a mail (*@host or user@host) matching an entry in whitelist_from will be exempted from spamassassin rejection.

How to block email from one address to another address with check_badmailfromto plugin

This is based heavily on the similar check_badmailfrom, but this plugin references both the FROM: and TO: lines, and if they both are present in the badmailfromto config file (a tab-delimited list of FROM/TO pairs), then the message is blocked as if the recipient (TO) didn't exist. This is specifically designed to not give the impression that the sender is blocked (good for cases of harassment).
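As an added example (not the plugin's own Perl code), this Python models the check_badmailfromto decision described above: it parses a constructed badmailfromto file, applies check_badmailfrom-style matching (user@host exact, @host for a whole domain) to both the envelope sender and the recipient, and returns a DENY phrased as an unknown recipient only when both match. DENY and DECLINED mirror qpsmtpd's plugin return codes; the sample addresses and the exact rejection wording are constructed.

```python
# Constructed sample of /var/service/qpsmtpd/config/badmailfromto.
# One FROM<TAB>TO pair per line; either side may be user@host or @host (whole domain).
BADMAILFROMTO_SAMPLE = (
    "# pairs are FROM<TAB>TO\n"
    "harasser@example.net\tvictim@example.com\n"
    "@spammy.example\tsales@example.com\n"
    "malformed-line-without-tab\n"
)


def parse_badmailfromto(text: str):
    """Return (from_entry, to_entry) tuples, lower-cased; comments, blank and
    malformed lines are ignored rather than silently blocking everything or nothing."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 2 or not parts[0].strip() or not parts[1].strip():
            continue
        pairs.append((parts[0].strip().lower(), parts[1].strip().lower()))
    return pairs


def address_matches(entry: str, address: str) -> bool:
    """check_badmailfrom-style match: an '@host' entry matches any user at exactly
    that host (the leading '@' keeps sub.host from matching); otherwise exact address."""
    address = address.strip().lower()
    if not address:
        return False  # null envelope sender "<>" (bounce messages) never matches
    if entry.startswith("@"):
        return address.endswith(entry)
    return address == entry


def rcpt_decision(sender: str, recipient: str, pairs) -> tuple:
    """Decision at the 'rcpt' stage: DENY only when BOTH sender and recipient match one
    pair, worded like a nonexistent recipient so the sender is not told they are blocked."""
    for bad_from, bad_to in pairs:
        if address_matches(bad_from, sender) and address_matches(bad_to, recipient):
            return ("DENY", f"mail to {recipient} not accepted here")
    return ("DECLINED", "")  # let the remaining rcpt plugins decide


if __name__ == "__main__":
    rules = parse_badmailfromto(BADMAILFROMTO_SAMPLE)
    for mail_from, rcpt_to in [("harasser@example.net", "victim@example.com"),
                               ("harasser@example.net", "other@example.com"),
                               ("anyone@spammy.example", "sales@example.com")]:
        print(mail_from, "->", rcpt_to, rcpt_decision(mail_from, rcpt_to, rules))
```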

Domain Authentication

trex1512 has marked this page as a Work in Progress. The contents of this page may be in flux; please have a look at the page history to see the list of changes.

Major mail hosting companies (Google, Yahoo, Microsoft) have made domain-authentication mandatory so as to not mark incoming mail as spam.

To facilitate this, support for DomainKeys and DKIM signing needs to be enabled in SME's mail subsystem. These techniques require adding records to the DNS zone for the user's domain. The DKIM/DK/SPF/SenderID configuration has to be added at your DNS server / registrar.

How do I remove an email address from the everyone group

By default, all users are automatically added to the user group "everyone". If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

Check with your DNS server / registrar. Something similar to the following should work, but it varies depending on the provider; replace <fully qualified domain name> with your domain details, e.g. "mydomain.org" (without the <> brackets):

When extracting the key text from the dkim.public file, it spans multiple lines. For the key to work in the DNS TXT record we need to exclude the header and footer lines and have just the key text as a single-line string (the setup_dkim.sh script provides this information in the required format).
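As an added example (not the setup_dkim.sh script), this Python performs the extraction described above: it strips the header and footer lines from a PEM public key such as dkim.public, joins the base64 body into a single line, wraps it in a DKIM TXT value, and splits that value into 255-byte quoted strings as a DNS TXT record requires. The key material is constructed filler, not a real key, and the selector name "default" and domain "mydomain.org" are assumptions.

```python
import base64
import textwrap

# Constructed stand-in for the key text in dkim.public: NOT a real key, just
# filler made of valid base64 characters with a realistic length.
FAKE_KEY_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 298 + "IDAQAB"

# PEM files wrap the base64 body at 64 characters between header and footer lines,
# which is the multi-line form the page says must be collapsed for DNS.
DKIM_PUBLIC_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                   + "\n".join(textwrap.wrap(FAKE_KEY_B64, 64))
                   + "\n-----END PUBLIC KEY-----\n")

# A single character-string inside a DNS TXT record holds at most 255 bytes;
# longer values are published as several adjacent quoted strings.
TXT_STRING_MAX = 255


def pem_to_single_line(pem: str) -> str:
    """Drop the -----BEGIN/END----- lines and join the base64 body into one string."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    if not body:
        raise ValueError("no key body found in PEM text")
    key = "".join(body)
    base64.b64decode(key, validate=True)  # raises binascii.Error (a ValueError) if not clean base64
    return key


def dkim_txt_value(pem: str, key_type: str = "rsa") -> str:
    """The TXT value: version, key type and the single-line public key."""
    return f"v=DKIM1; k={key_type}; p={pem_to_single_line(pem)}"


def split_txt_strings(value: str, max_len: int = TXT_STRING_MAX) -> list:
    """Cut the value into pieces a DNS TXT character-string can carry."""
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def dkim_dns_record(selector: str, domain: str, pem: str) -> str:
    """Zone-file line for <selector>._domainkey.<domain>, with the value quoted in chunks."""
    chunks = split_txt_strings(dkim_txt_value(pem))
    quoted = " ".join(f'"{c}"' for c in chunks)
    return f"{selector}._domainkey.{domain}. IN TXT {quoted}"


if __name__ == "__main__":
    print(dkim_dns_record("default", "mydomain.org", DKIM_PUBLIC_PEM))
```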

If you want to customize the signing you can add parameters to the line in /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign. Parameters and value are separated by a space only.

NB: key files cannot be defined in parameters; they need to be in /var/service/qpsmtpd/config/dkimkeys/{SENDER_DOMAIN}.private

Tip:

You can verify that your settings are correct by sending an email to check-auth@verifier.port25.com, a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See bugzilla:4558#c6

Other information

Temporary_error_on_maildir_delivery

In certain cases some mailboxes cannot receive delivered messages and the qmail log says:

deferral: Temporary_error_on_maildir_delivery._(#4.3.0)/

It is probable that the affected users have reached the upper limit of their quota, so you have to increase it. This should solve their problem.

External Access

Allow external IMAP mail access

There was a deliberate decision to remove non-SSL protected username/password services from the external interface.

Warning:

Keep in mind that your passwords and your data won't be protected and will travel in clear text over the Internet.

To allow insecure IMAP access:

config setprop imap access public
signal-event email-update

But before you do this, try to use secure IMAP (IMAPS, or IMAP over SSL) on port 993.

POP3 & webmail HTTP

I want to set my SMESERVER to allow POP3 (or webmail HTTP) but it's not an option, I only see POP3S (or webmail HTTPS).

The SMESERVER is secure by design. POP3 (or webmail HTTP) is viewed as inadequate security and removed as an option from a standard installation to encourage unknowing administrators to select the 'best practice' option: a secure connection with POP3S, IMAPS, or HTTPS.

Warning:

Keep in mind that your passwords and your data won't be protected and will travel in clear text over the Internet.

You can still set your SMESERVER to allow POP3 settings by:

config setprop pop3 access public
signal-event email-update

Allow external pop3 access

Email settings > POP3 server access in the SME 7.1 server-manager allows only the pop3s protocol for clients outside the LAN. Some email clients (e.g. The Bat! v3.98.4) won't allow pop3s connections to SME 7.1 because of an SSL version conflict. Until this is sorted out, a workaround is to hack SME to allow regular pop3 on the external interface using the following commands.

Warning:

Keep in mind that your passwords and your data won't be protected and will travel in clear text over the Internet.

Log watching tool

Default Plugin Configuration

SME maintains 2 distinct configurations: one for the 'local' networks (as defined in server-manager::Security::Local networks) and another for 'remote' networks (everyone else).

The default configuration of each plugin is indicated in the 'Default Status' column.

Plugin | Purpose | Default Status
hosts_allow | Prohibit more than "InstancesPerIP" connections from any single host (change with 'config setprop smtpd InstancesPerIP'). Allow or deny connections according to the contents of /var/service/qpsmtpd/config/hosts_allow. See hosts_allow SVN code for more details. | -
- | Allow different plugin configuration based on the sending computer's IP address. By default SME maintains different configurations for the local networks (in /var/service/qpsmtpd/config/peers/local) and for everyone else (in /var/service/qpsmtpd/config/peers/0). | -
- | Check to see if relaying is allowed (in case the recipient is not listed in one of SME's local domains). | enabled
check_norelay | Check to see if the sending server is specifically forbidden to relay through us. | enabled
require_resolvable_fromhost | Check that the domain listed in the sender's email address is resolvable. | enabled (remote), disabled (local)
check_basicheaders | Reject email that lacks either a From: or Date: header. | enabled
rhsbl | Reject email if the sender's email domain has a reputation for disregarding SMTP RFCs. | disabled (always disabled for local connections)
dnsbl | Reject email from hosts listed in your configured dnsbl servers. | disabled
check_badmailfrom | Reject email where the sender address is listed in /var/service/qpsmtpd/config/badmailfrom. | enabled
check_badrcptto_patterns | Reject email addressed to any address matching an expression listed in /var/service/qpsmtpd/config/badrcptto_patterns. | enabled
check_badrcptto | Reject email addressed to any address listed in /var/service/qpsmtpd/config/badrcptto. | enabled
check_spamhelo | Reject email from hosts that say 'helo ...' using a value in /var/service/qpsmtpd/config/badhelo. | enabled
check_smtp_forward | If config show DelegateMailServer or db domains show <domainname> MailServer is set (telling SME to deliver email for all domains, or just <domainname>, to another server), check_smtp_forward will connect to the specified server and will reject the message outright if the internal mail server would also reject it. | disabled unless an internal mail server is configured
check_goodrcptto | Accept email only if the recipient address matches an entry in /var/service/qpsmtpd/config/goodrcptto. For domains that are configured to use an internal mail server, the entire domain name will be added to .../goodrcptto. | enabled
rcpt_ok | Return 'OK' if none of the other host checks has returned 'DENY' (??) | enabled
pattern_filter | Reject email according to content patterns (??) | disabled
tnef2mime | Convert MS TNEF (winmail.dat) and uuencoded attachments to MIME. | enabled
disclaimer | Add a configurable disclaimer to email messages. | disabled
spamassassin | Check email using spamassassin, and optionally reject it completely if the score exceeds a configurable value. | disabled (always disabled for local connections)
virus/clamav | Scan incoming email with ClamAV. | enabled
queue/qmail-queue | Deliver the incoming message to qmail for delivery. | enabled

Other QPSMTPD Plugins

The following qpsmtpd plugins will work on a SME server, but are either not included or are not configured by default.

Internal or External Mail Servers

SME can be configured as a spam and antivirus filter for one or more "internal or external" mail servers on a domain-by-domain basis. The mail server specified does not have to be on the same local network as your SME server, and can be hosted at an external site.

Deliver ALL email to a single internal or external mail server

You can set the default delivery location for all domains on your SME server to a single internal or external mail server by setting the mail server address in server-manager::Configuration::E-mail::Change e-mail delivery settings::Address of internal mail server.

Note: Address of internal mail server must be blank if you want any email delivered to the SME server itself.

Deliver email for one domain to an internal or external mail server

You can override the default email delivery destination for individual domains on your SME server (forwarding all email for the specified domain to another server) as follows:

Secondary/Backup Mail Server Considerations

Many people misunderstand the issues of using a secondary or backup mail server (backup MX) to hold your mail before it gets delivered to your SME Server. If you are considering putting a backup mail server in place because you are concerned about losing mail when your internet connection occasionally drops out, think again and consider the issues discussed below.

What is Backup MX

A backup MX is a system whereby, through your DNS records, you tell other servers on the internet that in order to deliver mail to your domain they first need to try the primary MX record, and if they fail to connect they can try to connect to one or more of your listed backup or secondary mail servers. See also http://en.wikipedia.org/wiki/MX_record

The process of delivering email to your SME Server

So let's look at how mail gets delivered without and with a backup MX when your Internet link, ISP or server is down.

Without a backup MX

The sending mail server cannot connect to your server.

The sending mail server MUST queue the mail and try again later.

The mail stays on the sender's server.

The sender's server resends the mail at a later date.

The requirement to re-queue is a fundamental part of the SMTP protocol; it is not optional. So, if your server is offline due to a link or ISP outage, the mail just stays at the sender's server until you are once again reachable.

With a backup MX

The sending mail server cannot contact your server.

The sending mail server sends the mail to your secondary MX.

The secondary MX queues the mail until your link/server is up.

The mail is queued on an untrusted third-party mail server (think about confidential mail between your company and some business partner).

The sending mail server's administrator thinks it has been delivered, according to their logs.

You have no, or little, visibility over the queued mail.

When your link comes up, the secondary MX sends the mail on to your server.

You have added more hops, more systems and more delay to the process.

If you think that a backup MX will protect against broken mail servers which don't re-queue, it won't. Those servers will drop mail on the floor at random times, for example when their Internet link is down.

Those servers are also highly likely to never try your backup MX.

Thankfully those servers are mostly gone from the Internet, but adding a secondary MX doesn't really improve the chances that they won't drop mail destined for your server on the floor.

Backup MX and SPAM Filtering

On top of the issue indicated above, there is another issue to consider, and that is what happens with SPAM due to the use of a backup MX.

Your SME Server takes care of filtering a lot of SPAM by checking the full username and domain at the time it is received.

For example, if your server hosts example.com and someone sends mail to joeuser@example.com, the server will only accept the mail if joeuser is a local user/alias/group/pseudonym on the server. Otherwise, the mail is rejected during the SMTP transaction.

A backup mail server, however, generally does not have a full list of users against which it can check whether it should accept the mail for the given domain. Hence it will accept mail for invalid users.

So:

If you trust the secondary MX, you will accept a lot of SPAM when the link comes up.

If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.

The SPAM backscatter can only be stopped if the secondary MX has a full list of users for your domain to allow filtering to occur.

But:

You need to be able to configure this secondary MX with such user/domain lists

You need to maintain these secondary configurations when users are added/deleted from your primary server configuration

You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.

Quite a few sites have lost lots of mail through misconfigured backup MX servers. Unfortunately, the time when you find out they are misconfigured is when you go to use them, and then you find that the backup MX has changed configuration and bounced all of your mail.

Then you realise that this mail could have queued at the sender's site if there hadn't been a broken secondary MX bouncing the mail for you.

If you bounce mail at your server, you have logs to show what's wrong.

If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.

Summary

In summary, if your server/Internet connection is available most (let's say >90%) of the time, you are generally better off without a secondary MX.

If your server/link is down more than this (e.g. dialup), you should not be delivering mail directly to your server.

If you still want to consider setting up a secondary MX, ensure that:

you have full control of the configuration of each of the email gateways for your domain

each gateway can make decisions on whether to accept/reject mail for the users at the domain

Mail server on dynamic IP

Problems with running a mail server on SME server using a dynamic external IP from ISP

You have no control over this issue and you will lose mail when it happens. If you have a dynamic IP, the recommended approach is to get someone with a static IP to queue your inbound mail and send it to you on a non-standard port, preferably with an authentication mechanism which queues the mail if the auth fails, just in case someone else happens to have a mail server on the same port (while highly unlikely, this is possible).

Whether this issue is really a problem to end users depends on how much you "value" your mail. For a home user running their own mail server, it is probably not a great problem if some messages happen to go astray, but all other classes of users should avoid running a mail server on a dynamic IP without implementing a suitable queueing workaround as suggested. Some ISPs change the IP very infrequently, e.g. yearly, so in those cases it is also not a significant problem. Many/most ISPs will issue a new IP every time a connection is lost and re-established, so those situations are more problematic.